This is an informative English translation. The legally binding version of these documents is the Czech one.
Version: 1.0 · Effective from: 17 May 2026 · Last updated: 17 May 2026
Operator and controller of personal data: DataOps, s.r.o.
1. Introduction
This privacy policy describes what personal data we collect, how we use it and what rights you have in relation to that data. We value your privacy and act in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Act No. 110/2019 Coll., on personal data processing.
This policy applies to the use of the OSS Time application and the related website osstime.online.
2. Operator (controller of personal data)
| Item | Value |
|---|---|
| Business name | DataOps, s.r.o. |
| Registered office | U Školičky 1148, 253 01 Hostivice, Czech Republic |
| Company ID (IČO) | 19550731 |
| VAT ID (DIČ) | CZ19550731 |
| File number | C 388314, kept by the Municipal Court in Prague |
| Statutory body | Eva Martínová, Managing Director |
| Contact email | info@wearedataops.cz |
The Operator has not appointed a Data Protection Officer (DPO) — the processing does not reach a scope that would require an appointment.
3. Definition of roles
The OSS Time application functions as a platform for managing sports clubs. In this context we distinguish:
- Application user (club owner, coach, super admin) — we process their data to operate the account, handle the subscription and for communication.
- Club member (trainee, legal guardian) — here we are the processor, and the club is the controller.
Important: For club members' data, the controller is the club (the account owner), which determines the purpose and means of processing. The Operator (DataOps) acts in this role solely as a processor under Article 28 of the GDPR. Details are governed by a separate Data Processing Agreement (DPA), which is an annex to the Terms of Service.
4. What data we collect
4.1 Application users' data (we are the controller)
- Identification: email, first name, surname, phone (optional) — to create and operate the account and for communication.
- Authentication: password (hashed via Firebase Auth), or a Google / Apple OAuth identifier — for sign-in.
- Club data: club name, club Company ID, registered office, contacts — for billing, document generation and identification in the application.
- Subscription data: Stripe Customer ID, subscription status, billing details — for billing the service and the Customer Portal.
- Application usage data: access logs, UI language, preferences (light/dark mode) — for operation, support and statistics.
4.2 Club members' data (we are the processor)
On behalf of the club, we process the following about club members: first name and surname, date of birth, email, phone, barcode identifier, legal guardian details for minors, attendance, payments, membership programs, and possibly belts and gradings. This data is owned by the club, and the club decides who has access to it. Details are governed by the DPA.
4.3 Technical data (collected by our subprocessors)
During normal use of the application and website, our subprocessors (Firebase, Stripe, Google reCAPTCHA, Google Analytics — website only) automatically collect technical data: IP address, browser type and version, operating system, device, App Check token and access timestamps.
We do not store this data directly in our database. It is processed by our subprocessors in accordance with their own privacy policies (links in section 8) for the purposes of security, anti-bot protection, operation and statistics.
4.4 Sensitive data
The OSS Time application does not process special categories of personal data under Article 9 of the GDPR (health data, racial or ethnic origin, political opinions, etc.).
5. Purposes of processing and legal bases
| Category | Purpose | Legal basis |
|---|---|---|
| Account and billing | Service operation, performance of contractual obligations | Performance of a contract — Art. 6(1)(b) GDPR |
| Accounting documents, invoices | Compliance with a legal obligation | Legal obligation — Art. 6(1)(c) GDPR |
| Logs and security | Operation, protection against misuse | Legitimate interest — Art. 6(1)(f) GDPR |
| Club members' data | Performance of the contract between club and member | Club as controller (we act as processor) |
| Marketing communication | Information about news and events | Consent — Art. 6(1)(a) GDPR (opt-in) |
| Website analytics (osstime.online) | Measuring traffic, improving the website | Consent — Art. 6(1)(a) GDPR (cookie bar) |
6. Cookies and tracking
6.1 Marketing website (osstime.online)
The marketing website may use Google Analytics to measure traffic. These cookies are activated only with your consent — a cookie bar with a choice is shown on your first visit.
6.2 Application (app.osstime.online)
In the application we use only technically essential cookies and localStorage:
- Firebase Auth — keeping you signed in
- App Check / reCAPTCHA — protection against misuse
- LocalStorage — preferred language, light/dark mode, return to the last page after sign-in
We do not use analytics or marketing cookies in the application.
7. Retention period
| Type of data | Retention period |
|---|---|
| Active account and club data | For the entire duration of the subscription |
| After a club deletion request | 30 days in recoverable-deletion mode, then permanent removal |
| Audit record of club deletion | Permanently — without personal data, only club ID and name for accounting |
| Accounting documents (invoices, payments) | 10 years (Act No. 563/1991 Coll., on Accounting) |
| Access logs | Default Firebase Cloud Logging period (typically 30 days) |
| Email communication via Resend | According to the Resend provider's policy |
| Processing consents | For the duration of the consent + the statutory period for demonstrating it |
8. Subprocessors
| Subprocessor | Purpose | Country | Policy |
|---|---|---|---|
| Google Ireland Ltd. / Google LLC (Firebase, Google Cloud) | Hosting, database, authentication, Cloud Functions, Storage | EU (europe-west1, Belgium) | link |
| Resend, Inc. | Sending transactional emails | EU / USA | link |
| Stripe Payments Europe, Ltd. | Processing payments and subscriptions | EU / USA | link |
| Google reCAPTCHA / App Check | Protection against misuse and bots | Global (Google) | link |
| Google Analytics (website only) | Measuring website traffic | Global (Google) | link |
9. International transfers
Some of our subprocessors (Stripe, Resend, Google) may process data outside the European Economic Area (EEA), in particular in the USA. In such cases we ensure the transfer complies with the GDPR — either on the basis of Standard Contractual Clauses (SCC) adopted by the European Commission, or through the EU-U.S. Data Privacy Framework.
10. Your rights
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17) — a club owner can delete the club self-service in the application with a 30-day recovery window, after which the data is permanently removed
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — given the sensitivity of club members' data, we provide exports upon a written request (see below)
- Right to object (Art. 21)
- Right not to be subject to automated decision-making (Art. 22) — not applicable
- Right to lodge a complaint with a supervisory authority — the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.cz
10.1 Procedure for exercising rights
Send your request to info@wearedataops.cz.
Given the sensitivity of the data we manage (in particular the personal data of club members, including minors), requests for export or erasure require verification of the applicant's identity using the following procedure:
- The request must be sent from the email registered as the club owner's contact.
- The Operator verifies identity with a return email containing a verification code, which the applicant sends back.
- In justified cases, the Operator may request additional verification — for example via invoices, another contact in the club profile, or by phone.
- After verification, the data is provided in a password-protected archive, with the password sent via a second communication channel.
We will handle the request no later than 30 days after identity verification.
11. Security
To protect your personal data we use, in particular:
- Encrypted connection (HTTPS / TLS) for all communication
- Password hashing via Firebase Auth
- Optional two-factor authentication (Google / Apple Sign-In)
- Regular backups within the Firebase infrastructure
- Access rules (Firestore Security Rules) ensuring clubs cannot see each other's data
- App Check and reCAPTCHA as protection against automated misuse
In the event of a personal data breach, we act pursuant to Articles 33 and 34 of the GDPR — we report the incident to the Office for Personal Data Protection within 72 hours and, in the case of high risk, also inform the affected data subjects.
12. Children and minors
The OSS Time application is intended exclusively for operators of sports clubs (legal entities) with full legal capacity. The club is the controller of its members' data — including minors — and is responsible for obtaining guardians' consents for processing children's data. The application provides the club with the technical means for this (a mandatory legal guardian for minor members, consents in the registration form).
The Operator (DataOps) does not process children's data as a controller — always only as a processor on behalf of the club.
13. Marketing communication
If you give us your consent, we may send you information about news, new features and events of the OSS Time service. Consent can be withdrawn at any time — either by clicking the unsubscribe link in the email or by sending a request to info@wearedataops.cz.
14. Changes to this policy
We may update this policy from time to time. We will inform you of material changes by email at least 30 days before they take effect. The current version is always available at osstime.online/ochrana-osobnich-udaju. We maintain the version history internally and will provide it on request.
15. Contact
For any questions or requests regarding the protection of personal data, contact us at:
DataOps, s.r.o. U Školičky 1148, 253 01 Hostivice, Czech Republic Company ID: 19550731 · VAT ID: CZ19550731 Email: info@wearedataops.cz